Friday, May 19, 2006

Bad unintended consequences of HR 5417

(I should preface this by saying that I am not a lawyer, only a relatively well-informed layman who has demonstrated the ability to win lawsuits against telemarketers without using an attorney.)

Some network neutrality advocates are promoting James Sensenbrenner and John Conyers' HR 5417 as a step in the right direction for putting network neutrality into law. But HR 5417 is a badly written bill with some serious negative implications. (There are a bunch of other network neutrality bills in the works, which I haven't yet examined.)

First, it turns all NSPs and ISPs into "broadband network providers" even if they don't provide any residential consumer services. All that matters is whether you provide two-way Internet at speeds of 200 kbps or greater.

Second, it prohibits preventing anyone from sending or receiving traffic that is legal. This means ISPs cannot have acceptable use policies against spammers that go beyond what is required by the federal CAN-SPAM law except in states which have stricter laws, and they have to sell service to known spammers who comply with CAN-SPAM, and you can't kick adware companies off your network until and unless the specific abusive actions they are taking are made illegal.

Third, it says that if you provide a custom service like IP Video or VOIP interconnection at a higher class of service, you must allow your customers to connect to that "type" of service to any other provider of IP Video or VOIP, regardless of location, whether those providers are customers of yours or not. But if you don't provide those services over the Internet, who is supposed to bear the costs of interconnection to providers who aren't customers?

Fourth, it prohibits all restrictions on what devices users can connect to the network except on grounds of physical harm or degrading the service of others. But what if you offer a specialized service that only supports some vendors' equipment, and has to have a particular configuration to function properly? This seems to say that you have to let customers configure unsupported or incorrectly configured equipment to the network.

This bill is a nice example of bad unintended consequences.

(Also see Richard Bennett's Original Blog.)

Misinformation from "Save the Internet"

The little cartoon movie from "Hands Off the Internet" (an organization funded by member organizations that include major telcos and equipment vendors) has led to a response from "Save the Internet" (advocates of net neutrality funded by MoveOn.org and others).

"Save the Internet" claims that the cartoon is "a clever piece of industry propaganda that is riddled with half-truths and outright lies." It then quotes a few passages from the cartoon and offers responses. Unfortunately, it is "Save the Internet"'s response that contains misinformation, and it fails to point out any alleged lies.

In what follows, I'll quote directly from the "Save the Internet" response (including the quotes from the "Hands Off" cartoon they are responding to) and then respond to each point.

The big telecom companies say: "Is the Internet in Danger? Does the Internet need saving? It keeps getting faster. We keep getting more choices."

The truth: Right now AT&T and others want to take away your choices and control what you can do and watch online. They're on their best behavior while trying to convince Congress to hand over the Internet. But if their high-priced lobbyists get their way in Washington, the Internet as we know it will be gone. Network Neutrality has always curbed the control of the network owners, invited competition and encouraged innovators. It's what made it possible for entrepreneurs and creative thinkers to prosper online. None of the big ideas that made the Internet the innovative engine it is today came from the cable or telephone companies.

Notice that there's no evidence supplied to support the claim that "AT&T and others want to take away your choices and control what you can do and watch online." What the telcos want to do is build new last-mile consumer services by installing a new fiber-to-the-home infrastructure, over which they can offer services in addition to and distinct from the public Internet, just as they currently offer voice telephony as a service separate and distinct from the public Internet. Specifically, they want to offer digital television services and potentially new services which they control, following the model of the cable industry. The telcos' real desire is to compete with the cable industry and be regulated in much the same way. They further want to be able to charge content providers to be able to provide services over this new fiber, because they know that consumer fees alone are not sufficient to recover their costs in rolling out this new infrastructure. (BTW, my opinion is that just as the cable companies lost leverage over content providers as a result of competition from direct broadcast satellite, telcos will lose or fail to gain leverage over content providers using new services over fiber-to-the-home, as a result of competition from wireless broadband providers, as well as from cable companies.)

The big telecom companies say: "Building the next generation of the Internet is going to take a lot of work and cost a lot of money. And some big corporations can't wait to use it.... They're going to make billions. But they don't want to pay anything. Instead they want to stick consumers with the whole bill."

The truth: Nobody is getting a free ride on the Internet. Any Web site or service you use on the Internet has already paid these providers to reach you -- just like you pay to send e-mail and download files. In fact, total expenses from major content and service providers to expand network capacity totaled about $10 billion last year. But the cable and phone companies want even more -- forcing content providers to pay protection money to get a spot in the fast lane. Who do you think will pay that bill? You will … big time. The costs will be passed directly to consumers. If Net Neutrality is so bad for consumers, why do ALL the major consumer groups support it and ALL the major phone companies oppose it? Who do you trust more to defend your Internet rights? Without meaningful protections of Net Neutrality, there will be less choice on the Internet and higher prices, at a time we're already falling far behind the rest of the world.

It's true that content providers are paying Internet providers today to reach the "eyeball customers" of the telcos and cable companies. But they are reaching them over today's best-effort Internet, not over the new infrastructure the telcos want to build out. There is a real issue here, but it's one that advocates of net neutrality have tended to obscure rather than illuminate: today, telcos are required to allow other Internet providers to provide service over their last-mile consumer broadband (DSL) circuits, and the courts recently ruled that this will no longer be required, putting the telcos on the same footing as the cable companies, which have never been required to share their networks. The difference between the two is that the telcos were given free rights-of-way to build their networks, were given monopoly status for local telephony, and received huge tax breaks and subsidies in the form of universal service fees collected from long distance providers; this form of public funding justified the common carriage requirements that made them allow their networks to be used by other players that compete with them. The cable companies, by contrast, got none of these benefits and have to pay a portion of their revenues to local municipalities as part of their franchise agreement in an area. The cable model actually seems to be a better model and to be more competitive, though I think both are far from ideal. In any case, the empirical evidence is that the more competition there is for broadband Internet services, the lower the costs to consumers and the more innovation we see.

The big telecom companies say: "These corporations are asking Congress to create volumes of new regulations to control how content is delivered over the Internet. Should politicians and bureaucrats replace network administrators? It will be the first major government regulation of the Internet and it will fundamentally change how the Internet works. These big corporations and the SavetheInternet campaign want the government to take control of the Internet."

The truth: There's nothing new about Net Neutrality. It has been a fundamental part of the Internet since its inception. As a tenet of communications policy, it goes back some 70 years. Only last year did the Supreme Court uphold a bad decision by the Federal Communications Commission to do away with the rules that forced cable and phone companies to open up their networks to competitors. Those rules protected Internet freedom by ensuring lots of competition (think of all the choices you've had for long distance service or dial-up Web access). In fact, these rules still protect the Internet under a temporary FCC ruling. All a Net Neutrality law would do is maintain the even playing field we've always enjoyed -- by preventing big cable and telephone corporations from taking over as gatekeepers.

Now here's where "Save the Internet" goes completely off the rails. Net Neutrality has not been "part of the Internet since its inception" nor does it go back 70 years. This is a confusion about common carriage requirements on telcos' networks vs. Internet services. When other DSL services use telco last-mile circuits to reach their customers, they are providing their own Internet services, not the telcos'. They aren't using the telcos' Internet networks at all. ISPs have never been classified as "common carriers" or required to connect anyone to their networks. Rather, they've been classified as information services or enhanced services, and exempted from common carriage requirements. Internet interconnection is governed by peering arrangements which are arranged either privately between two ISPs or network service providers, or by connecting to a public peering point and governed by the rules of the organization managing that peering point (itself a private, not government, organization).

The sentence about the Supreme Court upholding a bad FCC decision "to do away with the rules that forced cable and phone companies to open up their networks to competitors" is just mistaken in its inclusion of cable companies. Cable companies have never been required to open up their networks to competitors.

(UPDATE May 21, 2006: Timothy Karr of Save the Internet says that the "goes back some 70 years" remark does not refer to common carriage, but he hasn't yet told me what it is referring to. I'll update this entry when he does.)

The big telecom companies say: "The net neutrality issue is a fundamental question about who should control the Internet: The people or the government? And it's a fight about who's going to pay: multi-billion dollar corporations or you?"

The truth: Who should control the Internet? Now that's a good question. But the real choice we face is whether we're going to keep the good government policy that has protected Internet freedom, created a truly free market in content and services, and encouraged free speech to flourish online -- or let predatory companies like AT&T and Comcast rewrite our telecommunications law and place their chokehold on online content and services. For the entire history of the Internet, Web sites and online ideas have succeeded or failed on their own merit based on decisions now made collectively by millions of users. Getting rid of Net Neutrality will hand these decisions over to a cartel of broadband barons. Do we really want Ma Bell and the Cable Guy picking the next generation of winners and losers on the Internet?

This repeats the false claim that net neutrality has been a government policy in force all along, when in fact what "Save the Internet" is advocating is the introduction of new laws which give the FCC the power to regulate the Internet. What "Save the Internet" fails to recognize is that the telcos are an extremely powerful lobbying force in Washington, D.C., and that giving the FCC this power will not change that. Further, the FCC is run by commissioners who want to do more to regulate content for "indecency," and, if given the power to regulate the Internet, that would likely not be far behind. If they have the power to say that ISPs must allow service to X, they're probably also going to have the power to say that ISPs must not allow service to Y. But those are decisions that should be left in the hands of the ISPs, in a competitive environment where the consumer has the power to switch ISPs.

"Save the Internet" tends to avoid spelling out specifically what they are asking for, which is the biggest problem with "net neutrality" advocates. The term seems to mean different things to different people, and a lot of people interpret it to mean prohibition on certain kinds of contractual arrangements and services between providers of network services and their customers that are already common and extremely useful today (e.g., paying for different classes of service).

If you want a better understanding of the issues in the "net neutrality" debate, I can't recommend a better source than the Stifel/Nicolaus analysis, "Value Chain Tug of War" (PDF). Read it, and whichever position you argue for will be better served.

(UPDATE May 20, 2006: Here's a much better commentary on the "Hands Off" cartoon from a net neutrality advocate, Harold Feld, though he also gets some facts wrong. For example, he says that at the time of "Computer Proceedings I" (1971) AT&T was "the only telephone company." It was by far the major player and had attempted earlier to acquire the rest, but this was put to a stop in 1913 via anti-trust action when it tried to acquire Western Union. It was required to allow the remaining independent local telco players to interconnect. These included Rochester Telephone in NY (which was my employer when it was called Frontier). In 1971 AT&T had 100 million subscribers and the independents had 25 million.)

Thursday, May 18, 2006

Late 1990s NSA program

The Baltimore Sun has reported on a shelved 1990s NSA program to collect and analyze phone records which had the following features:

* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

Perhaps this program was brought back after 9/11? If such records were maintained with phone number and caller information encrypted until needed, and decrypted only with appropriate legal authorization, would that enable Verizon and BellSouth to truthfully deny having supplied the records to the NSA? I don't think so, unless the system was in the possession of the phone companies and didn't release data to the NSA until legal authorization was obtained. But would such a system be objectionable? So long as the controls genuinely prevented abuse and legal authorizations were really obtained for each use, I don't think it would be. (Via Talking Points Memo.)

BTW, in a New York Times story in which Verizon denied turning over records to the NSA (which BellSouth has also denied), Tony Rutkowski of Verisign is quoted suggesting that the NSA may have collected long-distance phone records rather than local calls. The article notes that Verizon's denial seems to leave the door open to the possibility that MCI, which Verizon recently acquired, had turned over data. Verisign, it should be noted, has been attempting to develop a business where it acts as a third-party manager for subpoenas and wiretapping for phone companies. While the telcos have strongly attempted to block attempts by the government to expand its wiretapping capabilities into the VOIP and Internet arenas (in part on the grounds that the CALEA statutes do not cover them, and also because the infrastructure expense is placed entirely on the telcos), Verisign has supported the government's efforts, as these filed comments with the FCC make clear (red means support for expanded government wiretapping capability, blue means opposition).

You'll note that Verisign is uniformly supportive of the government, and of the three telcos that have come under fire for giving data to the NSA, two are uniformly opposed (BellSouth and SBC (now AT&T)) and one is partly opposed and partly supportive (Verizon). I'm happy to note that my employer, Global Crossing, is not only on record as opposed, but filed comments which addressed more of the issues than most of the other filers.

(UPDATE May 19, 2006: Apparently the 1990s program was called ThinThread.)

Wednesday, May 17, 2006

Cory Maye's new attorneys file legal brief

Radley Balko at The Agitator is on top of it:

If you’ve read anything at all about this case, I’d urge you to take a look at the brief. I realize that a brief’s legal effectiveness is a very different thing than its general persuasiveness, particularly briefs filed in almost perfunctory post-trial motions like this one. Since I’m not really qualified to comment on its legal merits, I’ll keep my comments limited to its general persuasiveness.

To that end, it’s devastating. The difference between the top-notch legal representation Cory Maye has now and the minimal representation he had at trial is striking (and frightening, given the stakes). I can’t see anyone reading this thing through and still believing that Maye is the slightest bit guilty, much less that he should be executed. At worst, you could perhaps make the case that Maye acted recklessly, and might have been tried for manslaughter. I wouldn’t agree. But I probably wouldn’t be making trips to Mississippi to investigate, or blathering endlessly on my blog, either. Of course, I still think the guy should not only be released from prison, but compensated.

The brief, from Bob Evans, Orin Kerr, and attorneys at D.C. firm Covington and Burling, is here (PDF). There's also a forensics review here (Word doc), and a review of the autopsy report of Officer Jones here (PDF).

I've had the pleasure of meeting and briefly working with some Covington and Burling attorneys in the past (though none of the ones who worked on this brief), and found them to be incredibly bright and professional people. They also won a multimillion-dollar lawsuit against Fax.com, which makes them good guys in my book.

Net Neutrality and the Pace of Innovation

Some advocates of net neutrality have advocated nationalization of "the Internet backbone" (see, for example, the comments of Paul and Frank at Richard Bennett's Original Blog). The idea that there is such a thing as "the Internet backbone" is itself a confusion about what telcos contribute to the Internet, but what was the pace of innovation when telephony was a highly regulated government monopoly in the United States?

Touch-Tone was developed in the late 1950s.

It was promoted at the Bell System Pavilion at the 1962 Seattle World's Fair, as can be seen in this fascinating short film, "21st Century Calling" (a bonus feature on the DVD of the Mystery Science Theatre 3000 episode, "The Killer Shrews"). Other features promoted in the film include call forwarding and three-way calling.

Bell Labs officially announced Touch-Tone as a feature (PDF) in 1964.

Touch-Tone was rolled out to consumers in the 1980s as a feature which consumers had to pay extra for, even though it cost nothing more to provide. The SS7 electronic switching infrastructure costs were covered by consumer fees such as the monthly fee for Touch-Tone service, and then used to roll out new services to businesses, subsidized by consumers.

Time from innovation to deployment: over two decades.

Tuesday, May 16, 2006

VA Hospital Spiritual Assessments

Mark Vuletic at the Secular Outpost reports on the Freedom From Religion Foundation's lawsuit against the Department of Veterans Affairs for conducting "basic spiritual assessments" as part of admissions procedures. The "spiritual assessments" are used to determine whether patients require treatment for "spiritual injury or sickness."

Forever Pregnant / Start Making More Babies

Today's Washington Post reports (via Donna Woodka's blog):

New federal guidelines ask all females capable of conceiving a baby to treat themselves -- and to be treated by the health care system -- as pre-pregnant, regardless of whether they plan to get pregnant anytime soon.

Among other things, this means all women between first menstrual period and menopause should take folic acid supplements, refrain from smoking, maintain a healthy weight and keep chronic conditions such as asthma and diabetes under control.

And, as Stephen Colbert pointed out on last night's Colbert Report, Fox News' John Gibson on May 11 advised his viewers to get busy making more babies:

Make more babies. That's the lesson drawn out of two interesting stories over the last couple days.

First, a story Wednesday that half the kids under 5 years old in this country are minorities. By far, the greatest number are Hispanic.

Know what that means? Twenty-five years and the majority population is Hispanic.

Why is that? Hispanics are having more kids and others, notably the ones Hispanics call gabachos — white people — are having fewer.

Now in this country, European ancestry people — white people — are having kids at a rate that sustains the population, even grows it a bit.

That compares to Europe where the birthrate is in the negative zone. They're not having enough babies to sustain the population.

...

To put it bluntly: We need more babies. Forget that zero population growth stuff of my poor, misled generation.

Why is this important? Because civilizations need populations to survive.

So far we're doing our part here in America, but Hispanics can't carry the whole load.

The rest of you: Get busy. Make babies.

Or put another way, a slogan for our times: Procreation not recreation.

That's My Word.

(Note that the full context of his remarks is not blatantly racist, as it appeared on The Colbert Report.)

Sunday, May 14, 2006

Even more serious Diebold voting machine flaws

Harri Hursti of Black Box Voting has released a report (PDF) on yet more flaws (on top of others reported back in December) in Diebold TSx and TS6 Direct-Recording Electronic (or DRE) voting machines. Having a few minutes of physical access to a machine makes it possible to install software, using simple, easily available tools, which will completely compromise the machine in such a way that it will be impossible to tell whether future software updates are successful or not.

Ed Felten and Avi Rubin give more detail at Felten's blog, Freedom to Tinker, and question whether it makes sense to build voting machines based on commodity hardware and operating systems due to these risks. This certainly seems like an application where you'd want hardware-enforced verification of a stripped-down trusted computing platform.

Hursti's report says that there are three layers of software in the Diebold machines: a boot loader, an operating system (customized Windows CE), and an application program (the voting software). Each of the three layers has backdoors which allow bypassing security controls. The report states that "Different files on the system carry various subsets of the following features: Signature check, mode check, and integrity check. None of these can be considered security features against tampering. For example, the integrity check is [redacted]. This check can be equated to a very crude spell-checker. It is effective against accidental typing errors but not deliberate attacks."

The redacted portion, based on the description, is apparently a weak checksum such as a CRC (cyclic redundancy check), rather than a cryptographically stronger hash such as MD5 or SHA-1 (both of which have weaknesses of their own).
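The "spell-checker" distinction can be shown in a few lines. This is an added example, not code from the Hursti report or from Diebold: it compares an unkeyed CRC-32 with a keyed HMAC-SHA256 over a constructed stand-in image. The image bytes, the key and all function names are assumptions made for illustration, and the report does not say which check the machines actually use.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: a stand-in for a firmware image, not real machine code.
CLEAN_IMAGE = b"BOOT v1.0: load OS image, then start voting application\n" * 4
# Hypothetical verification key, held by the verifier and unknown to a tamperer.
VERIFIER_KEY = b"constructed-demo-key-not-a-real-secret"


def crc_package(image: bytes) -> bytes:
    """Append an unkeyed CRC-32 of the image (4 bytes, big-endian)."""
    return image + zlib.crc32(image).to_bytes(4, "big")


def crc_verify(package: bytes) -> bool:
    """True if the trailing CRC-32 matches the image. Needs no secret at all."""
    image, tag = package[:-4], package[-4:]
    return zlib.crc32(image).to_bytes(4, "big") == tag


def mac_package(image: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag, which can only be produced with the key."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def mac_verify(package: bytes, key: bytes) -> bool:
    """True if the trailing HMAC-SHA256 tag matches under the verifier's key."""
    image, tag = package[:-32], package[-32:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an accidental single-bit error (storage or transfer fault)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def xor_bytes(*parts: bytes) -> bytes:
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, byte in enumerate(part):
            out[i] ^= byte
    return bytes(out)


def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, CRC-32 of the XOR equals the XOR of the CRC-32s.

    This algebraic structure is what makes a CRC good at catching random
    errors and useless as evidence that nobody changed the data on purpose.
    """
    assert len(a) == len(b) == len(c)
    return zlib.crc32(xor_bytes(a, b, c)) == (
        zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)
    )


def demo() -> dict:
    altered = CLEAN_IMAGE.replace(b"v1.0", b"v6.6")  # deliberate, same length
    noisy = flip_bit(crc_package(CLEAN_IMAGE), 100)  # accidental damage
    original_tag = mac_package(CLEAN_IMAGE, VERIFIER_KEY)[-32:]
    return {
        "crc_catches_accidental_flip": not crc_verify(noisy),
        # Whoever changes the image can simply recompute the checksum.
        "crc_accepts_repackaged_change": crc_verify(crc_package(altered)),
        "crc_is_affine": crc_is_affine(CLEAN_IMAGE, altered, flip_bit(CLEAN_IMAGE, 7)),
        "mac_accepts_clean": mac_verify(
            mac_package(CLEAN_IMAGE, VERIFIER_KEY), VERIFIER_KEY
        ),
        # Without the key, neither a fresh tag nor the old tag verifies.
        "mac_rejects_rekeyed_change": not mac_verify(
            mac_package(altered, b"some-other-key"), VERIFIER_KEY
        ),
        "mac_rejects_reused_tag": not mac_verify(altered + original_tag, VERIFIER_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A keyed check only helps when the key and the code that performs the verification are themselves out of the tamperer's reach, which is why a boot loader that can be replaced cannot vouch for anything it loads.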

The Hursti report describes how an attacker could exploit the weaknesses at multiple levels to prevent the removal of malicious code. One such flaw (the details of which are redacted from the report) is that inserting a standard PCMCIA memory card into the machine containing a file with the appropriate name will cause the boot loader to reflash itself, installing the code in that file as the new boot loader on the system. As Hursti points out, "Due to the fact that the boot loader is the primary mechanism for its own reprogramming, if the boot loader is compromised with a deep attack, using the boot loader itself to install a known clean version of a boot loader is no longer a viable option as a recovery path to clean the system."

The report goes on to show similar flaws in replacing the operating system image, and points out a voter-accessible hidden button (labeled "battery test") that could be exploited by malicious code as a trigger for an attack.

The recommended defense against attacks is to physically protect the machines--as a machine can be compromised with less than five minutes of physical access, chain of custody evidence must be maintained from the machines' origin to final use, with no unsupervised access.

$5 billion lawsuit filed against Verizon

Two New Jersey attorneys, Bruce Afran and Carl Mayer, have filed a lawsuit in federal court in New York City against Verizon regarding its sharing of call-detail records with the NSA without a subpoena. The lawsuit charges that Verizon has violated a number of federal laws, including the 1986 Stored Communications Act (28 USC 2701), which provides for $1,000 in statutory damages for each violation. Some reports have quoted a $50 billion figure based on the potential of one violation regarding the information of each of 50 million people, but the suit as filed asks for $1,000 per violation, or $5 billion if certified as a class action.

The Stored Communications Act is a confusingly written piece of the Electronic Communications Privacy Act that covers both content records (such as email) and non-content records (such as log information and subscriber information). One of the exceptions in the law for when a provider can supply non-content information to a governmental entity without a subpoena is if (quoting from a commentary by law professor Orin Kerr) "the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This seems like a defense that Verizon will be likely to use to justify a program that's supposed to be used to identify and stop terrorists.

Verizon claims that it "does not, and will not, provide any government agency unfettered access to our customer records or provide information to the government under circumstances that would allow a fishing expedition."

RCN, a telecom and Internet provider (its assets include the former Erols Internet) based in Herndon, VA, has issued a press release stating that it, like Qwest, has not disclosed customer information except when required by legal process.

Thursday, May 11, 2006

NSA call monitoring details revealed, blocks Justice Department investigation

USA Today has reported that the NSA has been collecting a database of call detail records from data provided by AT&T, Verizon, and BellSouth (no word on whether SBC or other ILECs and CLECs have participated). Qwest is noteworthy for having refused to participate in the program.

The collected CDRs include records of calls which both originate and terminate within the United States (i.e., completely domestic calls).

The NSA's goal was allegedly "'to create a database of every call ever made' within U.S. borders," which is out of scope for the NSA's mission.

Arlen Specter of the Senate Judiciary Committee says that the telcos will be questioned about their participation.

In other news today, the NSA managed to kill an investigation by the Justice Department's Office of Professional Responsibility into whether Justice Department attorneys violated ethical rules with regard to the NSA's domestic spying. They did this by denying requested security clearances to OPR investigators.